
fix(webapp): add clawdi.ai to embed allowlist and fix domain validation#37

Merged
kingsleydon merged 1 commit into main from fix/embed-allowlist-clawdi on Mar 24, 2026

Conversation

@kingsleydon
Collaborator

Summary

  • Add *.clawdi.ai to embed page allowed domains (middleware, CSP headers, next.config)
  • Fix domain validation bypass: replace string.includes() with new URL() hostname parsing + endsWith() suffix matching, preventing spoofed domains like evil-phala.com from bypassing the check

Test plan

  • Verify embed page loads in iframe from *.phala.com, *.phala.network, *.clawdi.ai
  • Verify embed page returns 403 from unauthorized domains
  • Verify evil-phala.com or phala.com.evil.com are correctly rejected

🤖 Generated with Claude Code

…on bypass

Use URL parsing with hostname suffix matching instead of string includes()
to prevent domain spoofing (e.g. evil-phala.com bypassing the check).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
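As an added example that is not part of this PR or the project's code base, the following puts the flawed substring check beside the parsed-hostname check the summary describes, and expresses the same allowlist as a CSP `frame-ancestors` directive for the header layer the summary also mentions. The `embedStatus` and `compareChecks` helpers and the sample header values are constructed for illustration; the real middleware's header handling is not shown on the page. Two points a practitioner should check: the suffix must begin with a dot, since `endsWith('phala.com')` would still accept `evil-phala.com`, and with dotted suffixes the apex domains themselves (e.g. `phala.com`) are not matched, which is consistent with the `*.` entries listed above.

```javascript
// Added example (not the PR's own code): why a substring check on the
// Origin/Referer header is bypassable, and how hostname parsing with a
// dotted-suffix match fixes it. Domain list taken from the PR summary.
const ALLOWED_SUFFIXES = ['.phala.com', '.phala.network', '.clawdi.ai'];

// Before: substring match over the raw header value. Anything that merely
// contains "phala.com" passes: "evil-phala.com", "phala.com.evil.com",
// or even an unrelated host whose path or query carries the string.
function isAllowedNaive(headerValue) {
  if (typeof headerValue !== 'string') return false;
  return ALLOWED_SUFFIXES.some((s) => headerValue.includes(s.slice(1)));
}

// After: parse the header as a URL, compare only the hostname, and require
// a suffix that starts with a dot so label boundaries are respected.
// Missing or malformed values are rejected rather than trusted.
function isAllowedHost(headerValue) {
  if (typeof headerValue !== 'string' || headerValue === '') return false;
  let hostname;
  try {
    hostname = new URL(headerValue).hostname.toLowerCase();
  } catch {
    return false; // unparsable Origin/Referer -> not on the allowlist
  }
  return ALLOWED_SUFFIXES.some((s) => hostname.endsWith(s));
}

// Middleware-style decision (hypothetical helper): prefer Origin, fall back
// to Referer, and answer 403 for anything not on the allowlist.
function embedStatus(headers) {
  const source = headers.origin ?? headers.referer;
  return isAllowedHost(source) ? 200 : 403;
}

// The same allowlist as a CSP frame-ancestors directive, so the browser
// enforces the framing policy independently of the middleware check.
function frameAncestorsDirective() {
  const sources = ALLOWED_SUFFIXES.map((s) => `https://*${s}`);
  return `frame-ancestors 'self' ${sources.join(' ')}`;
}

// Constructed sample header values showing where the two checks disagree.
const SAMPLES = [
  'https://app.phala.com/dashboard',
  'https://docs.phala.network',
  'https://app.clawdi.ai/embed',
  'https://evil-phala.com',
  'https://phala.com.evil.com/',
  'https://attacker.example/?next=app.phala.com',
  'not a url',
];

function compareChecks() {
  return SAMPLES.map((value) => ({
    value,
    naive: isAllowedNaive(value),
    parsed: isAllowedHost(value),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks());
  console.log(frameAncestorsDirective());
}
```

Running the file prints a table in which the three spoofed or unrelated inputs pass the naive check but fail the parsed one, while the three legitimate subdomains pass both.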
@vercel

vercel bot commented Mar 24, 2026

Project: trust-center | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 24, 2026 7:49am

@kingsleydon kingsleydon merged commit 29d6994 into main Mar 24, 2026
4 of 5 checks passed